Public bug reported:

This is a request for BLACKLISTING and REMOVAL of the Electrum Bitcoin Wallet program from the repositories.

This request comes with the following considerations:

(1) The Electrum Wallet upstream latest release is 2.4. The versions in all our repositories are at least one year old.

(2) Debian has identified issues with the 2.0+ code which prevent updating, including but not limited to (please refer to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792231#22):
    (a) tlslite dependency for the package and code was removed
    (b) 2.0+ code has poor handling of certificate verification, including not verifying the use purpose of a certificate, meaning there is an MITM vector when it reaches out to Electrum servers.

(3) There were multiple additional changes in 2.0+ which can break reverse compatibility, including:
    (a) A bitcoin blockchain soft-fork on July 4th, 2015, which only the newer Electrum versions know about.
    (b) There are significant client-to-server communication improvements, security, and bug fixes, which only exist in the 2.0+ code.
    (c) Wallet seed codes from newer versions cannot work with the older versions that exist.

After a discussion in #ubuntu-motu with Iain Lane, he suggested poking the security team. After further discussion in #ubuntu-hardened with Steve Beattie, and Seth Arnold, briefly, upon which I said it was my belief it should be removed from Wily and a sync blacklist imposed, it was said by Steve Beattie that it seems a sensible course of action to remove Electrum from Wily and impose a sync blacklist.

There are no reverse dependencies, nor reverse build dependencies that I could identify.

** Affects: electrum (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

This is a request for BLACKLISTING and REMOVAL of the Electrum Bitcoin Wallet program from the repositories. This request comes with the following considerations: (1) The Electrum Wallet upstream latest release is 2.4. The version in all our repositories are at least one year old. 
(2) Debian has identified issues with the 2.0+ code which prevents updating, including but not limited to (please refer to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792231#22) : - (a) tlslite dependency for the package and code was removed - (b) 2.0+ code has poor handling of certificate verification, including not verifying the use purpose of a certificate, meaning there is an MITM vector when it reaches out to Electrum servers. + (a) tlslite dependency for the package and code was removed + (b) 2.0+ code has poor handling of certificate verification, including not verifying the use purpose of a certificate, meaning there is an MITM vector when it reaches out to Electrum servers. (3) There were multiple additional changes in 2.0+ which can break reverse compatibility, including: - (a) A bitcoin blockchain soft-fork on July 4th, 2015, which only the newer Electrum versions know about. - (b) There are significant client-to-server communication improvements, security, and bug fixes, which only exist in the 2.0+ code. - (c) Wallet seed codes from newer versions cannot work with the older versions that exist. + (a) A bitcoin blockchain soft-fork on July 4th, 2015, which only the newer Electrum versions know about. + (b) There are significant client-to-server communication improvements, security, and bug fixes, which only exist in the 2.0+ code. + (c) Wallet seed codes from newer versions cannot work with the older versions that exist. After a discussion in #ubuntu-motu with Iain Lane, he suggested poking the security team. After further discussion in #ubuntu-hardened with Steve Beattie, and Seth Arnold, briefly, upon which I said it was my belief it should be removed from Wily and a sync blacklist imposed, it was said by Steve Beattie that it seems a sensible course of action to remove Electrum from Wily and impose a sync blacklist. + + There are no reverse dependencies, nor reverse build dependencies that I + could identify. 
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1481033

Title:
  Please remove electrum from the archive
